Download FDroid.apk and verify it with GnuPG

I've been asked several times now how one can get a verified copy of F-Droid. So here's a simple step by step explanation.

Please note that F-Droid recommends installing the privileged extension. It enables a seamless app installation and update experience. So installing the APK only makes sense when you can't install the F-Droid privileged extension.

Start out by getting F-Droid's signing key:

gpg --keyserver keyserver.ubuntu.com --recv-keys 802A9799016112346E1FEFF47A029E54DD5DCE7A

Next let's get the apk and signature file:

wget https://f-droid.org/FDroid.apk
wget https://f-droid.org/FDroid.apk.asc

Now, let's verify it:

gpg --verify-files FDroid.apk.asc

Great, it's verified. Now you can use Bluetooth, ADB or whatever to copy/install the APK to your phone.

Of course this is just fetching everything from the internet. So it's essential to really make sure you've fetched the correct key.
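The key check can be scripted. The following is an added example, not part of the original post: it pins the fingerprint from the `--recv-keys` step and accepts the download only if gpg's machine-readable status reports a valid signature from that key. The function names are hypothetical and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pin the signing key fingerprint
# and rely on gpg's machine-readable status instead of its human-readable text.

# Fingerprint taken from the --recv-keys command above.
PINNED_FPR="802A9799016112346E1FEFF47A029E54DD5DCE7A"

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line names the pinned fingerprint, either as the key that made
# the signature (field 3) or as its primary key (last field), and no status
# line reports a bad, erroneous, expired or revoked signature or key.
status_matches_pin() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && (toupper($3) == pin || toupper($NF) == pin) { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit (ok && !bad ? 0 : 1) }
    '
}

# verify_apk FILE: checks FILE against FILE.asc (hypothetical helper name).
verify_apk() {
    gpg --status-fd 1 --verify "$1.asc" "$1" | status_matches_pin "$PINNED_FPR"
}

# Constructed status output for illustration (not captured from a real run):
# a valid signature from the pinned key, and one from an unrelated key.
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2024-01-01 1704067200 0 4 0 1 10 00 802A9799016112346E1FEFF47A029E54DD5DCE7A'
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Usage: sh verify-fdroid.sh FDroid.apk
if [ "$#" -gt 0 ]; then
    verify_apk "$1" && echo "signature OK, key matches pin" || { echo "REJECTED" >&2; exit 1; }
fi
```

A signature from any other key in your keyring also makes plain `gpg --verify` report success, which is why the script compares the fingerprint rather than the exit code alone.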

systemd service definitions sometimes fail silently

Today I've added a systemd service definition, but it didn't show up as a service when running systemctl list-units. It took me a while to figure out how to ask systemd if there's anything wrong with my .service file. The easiest way to get information about broken service files I could find is to run:

systemd-analyze verify my.service

If that doesn't work, make sure the file is in the correct path. (/etc/systemd/system/*.service) Once all typos/bugs/etc. are fixed don't forget to run systemctl daemon-reload to make sure systemd is aware of the new unit.

Install Debian 10 on Lenovo D330-10IGM

I recently helped setting up a cheap used Lenovo D330-10IGM. I really like compact 10 inch notebook tablet convertibles like this. Too bad such machines always come with Windows 10 preinstalled. So of course the first thing I'm going to do is install my favourite operating system: Debian. This is quite a process, and in case I need to retrace my steps I'm writing them down here:

  1. Prepare USB Flash-Drive with a Debian Installer
    • download debian installer iso, it's easiest to get an unofficial image with non-free drivers included (https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/). I prefer gnome, but it should work fairly similar with most desktop environments.
    • connect a big enough usb drive (the debian image I used required ~4GB)
    • flash it to a usb drive. eg on a debian system you can just run: sudo dd if=~/Downloads/debian-live-10.2.0-amd64-gnome+nonfree.iso of=/dev/yourusbdrive bs=8K
    • optional tip: once dd finishes run sync to wait for the OS to write buffered data to your flash drive
  2. Let's start by disabling Secure Boot and checking that USB boot is enabled:
    • make sure your D330 is shut down
    • Press [Volume Up] + [Power] until the backlight comes on. This will bring the machine into UEFI mode.
    • click: BIOS Setup
    • click: Security (on the left side)
    • click: Secure Boot (you want this to be disabled)
    • click: Boot (on the left side)
    • check that USB Boot is set to enabled
    • click: Save and Exit (lower right)
    • click: yes (to save changes)
  3. Install Debian (gnome):
    • make sure your D330 is shut down
    • plug your previously prepared usb drive in
    • Press [Volume Up] + [Power] until the backlight comes on. This will bring the machine into UEFI mode.
    • click: Boot Menu
    • click: Linpus lite (SanDisk) (I'm using a SanDisk Flash drive, this is probably labeled differently when you try.)
    • select to boot the live version in the bootloader (nevermind that the bootloader is flipped 90°, booting might also take a while)
    • once gnome booted click the activities hot-corner (right top in gnome)
    • click debian installer to start it (usually the first item in the dock on the left)
    • configure everything to your liking.
    • manual disk setup is currently required, I removed all existing windows partitions and set the partitions up like this:
      • 1st partition - mount point: /boot, flags: legacy-boot, size: 200MB, fs: ext2
      • 2nd partition - mount point: /boot/efi, flags: boot, size: 55MB, fs: fat32
      • 3rd partition - mount point: /, flags: none, size: the rest of the available space, fs: ext4
      • (note: I didn't configure a swap partition because I want the eMMC to last as long as possible)

That's pretty much it. Everything important seems to be working. After waking up from power saving mode both the trackpad and keyboard are not working anymore. A simple workaround is to just disconnect the tablet and re-attach it, so I didn't look any further into this as of now.

extract - display meta-data of files

Occasionally I'm dealing with files that are opaque to me. file helps a lot with getting a rough idea of what I'm looking at. Today I discovered extract though. It's a command line tool like file but it doesn't only guess the file type. It also tries to parse metadata from the file and displays it. For now I tested it with audio and image files and it happily displayed ID3 and EXIF infos. This is quite handy.

install additional language Spell-checks on Debian

Some applications on Debian have spell-checking built in, e.g. LibreOffice, vim, etc. There are a couple of libraries for spell-checking packaged for Debian. So far I'm aware of three. So this is what I install to make sure I've got German spell-checking available in most applications:

# install de dictionaries for most apps:
sudo apt install aspell-de myspell-de-de hunspell-de-de

# libre office needs some extra love though:
sudo apt install --install-suggests libreoffice-l10n-de

set bluetooth to disabled by default on debian 10

I'm not sure why Debian developers think it's good to enable bluetooth automatically on boot. I think this is a privacy issue and would prefer bluetooth to be "opt-in". So here's how to make sure bluetooth is turned off by default:

# install tool for disabling bluetooth
# it's a shame debian has no api for this!

sudo apt install rfkill

# setup systemd unit

cat << EOF | sudo bash -c 'cat > /etc/systemd/system/disable-bluetooth-on-startup.service'
[Unit]
Description=Make sure Bluetooth is disabled on system start.

[Service]
ExecStart=rfkill block bluetooth

[Install]
WantedBy=multi-user.target
EOF

# enable systemd unit

sudo systemctl enable disable-bluetooth-on-startup

fix suspending ThinkPad S1 Yoga on Debian 10

On Debian 10 suspending ThinkPad S1 Yoga does not work for me. When I call systemctl suspend the device suspends and instantly wakes up again. I could fix it by flicking the XHC switch in /proc/acpi/wakeup. I used to persist this in /etc/rc.local in the past. But it's not there anymore on Debian 10. So here's how I persisted this using a systemd unit:

cat << EOF | sudo bash -c 'cat > /etc/systemd/system/thinkpad-s1-suspend-fix.service'
[Service]
ExecStart=bash -c 'grep "XHC.*enabled" /proc/acpi/wakeup && echo XHC > /proc/acpi/wakeup'

[Install]
WantedBy=multi-user.target
EOF

Now let's tell systemd to apply this fix on boot and also apply it right now:

sudo systemctl enable thinkpad-s1-suspend-fix.service
sudo systemctl start thinkpad-s1-suspend-fix.service

os game clones index

Too bad most computer games are non-free. But there are surprisingly many libre games. They're not necessarily on par with their proprietary counterparts, but they're fun too. Here's a curated list of libre games: https://osgameclones.com

Mozilla TLS configuration generator

When you're new to web hosting, finding decent TLS settings is not trivial. Retrospectively a lot of time I've put into this feels wasted, because finding optimal TLS settings basically is a never ending scientific effort. IMHO web-servers should be pre-configured for getting you decent TLS scores, but they're not.

The next best thing to getting a sane default configuration is using a well-maintained configuration generator. Luckily Mozilla is publishing one:


It's a super useful tool, because crafting good TLS configurations requires a lot of expertise. While this saved me quite some time and headaches, it's probably still a good idea to test those generated TLS configs against SSL Test, Mozilla Observatory, etc. Double-checking is important when doing security relevant stuff.

carousels are annoying still

It feels to me that carousels got out of fashion, or at least they rarely annoy me these days. Which is a good thing! Today though I was confronted with a particularly annoying one. It's probably old news, but I occasionally still like to point people to:


I'm just glad my personal carousel cringe frequency went down over the last few years.